Describe the bug

I have a Spring application that configures a custom AuthenticationEntryPoint (I add it simply to log authentication errors that may cause 401s, like a missing authorization header or an invalid bearer token).

        http.authorizeRequests().
                antMatchers(permitUrls).permitAll().
                anyRequest().authenticated().
                and().
                oauth2ResourceServer().
                jwt();
        http.csrf().disable();
        http.cors();

        http.exceptionHandling().authenticationEntryPoint(new CustomAuthenticationEntryPoint());

The problem: if I omit the "authorization" header completely, AuthenticationEntryPoint is indeed triggered. If I put an invalid JWT token in it, I see an exception in BearerTokenAuthenticationFilter: "Authentication request for failed!" but my AuthenticationEntryPoint is not called.

To Reproduce

Configure an application with the code above and make any request with an invalid "authorization" header. Spring Security version: 5.3.3.RELEASE.

Expected behavior

CustomAuthenticationEntryPoint is called.

Comment From: akohli96

What authentication entrypoint is it calling? Default one?

Comment From: jzheaux

@patkovskyi, thanks for reaching out. Please instead specify the entry point directly to the authentication mechanism, like so:

http
    .authorizeRequests()
        // ...
    .oauth2ResourceServer()
        .authenticationEntryPoint(new CustomAuthenticationEntryPoint())
        .jwt()
        // ...

This will automatically configure exceptionHandling() to use your CustomAuthenticationEntryPoint as well.
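
Added example, not part of the original thread or of Spring Security's own code: a complete 5.3.x-style configuration that registers the entry point on oauth2ResourceServer() as suggested above, with an entry point that logs the failure and then delegates to BearerTokenAuthenticationEntryPoint so the 401 and WWW-Authenticate header stay standard. The class name SecurityConfig, the PERMIT_URLS value, the SLF4J logger and the delegation are assumptions; a JwtDecoder is assumed to be configured elsewhere (for example through the issuer-uri property).

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.oauth2.server.resource.web.BearerTokenAuthenticationEntryPoint;
import org.springframework.security.web.AuthenticationEntryPoint;

@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // Assumption: stand-in for the permitUrls array from the issue.
    private static final String[] PERMIT_URLS = {"/health"};

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers(PERMIT_URLS).permitAll()
                .anyRequest().authenticated()
                .and()
            .oauth2ResourceServer()
                // Registered on the resource server, so it handles both a
                // missing header and a rejected bearer token.
                .authenticationEntryPoint(new CustomAuthenticationEntryPoint())
                .jwt();
        http.csrf().disable();
        http.cors();
    }

    static class CustomAuthenticationEntryPoint implements AuthenticationEntryPoint {
        private static final Logger log = LoggerFactory.getLogger(CustomAuthenticationEntryPoint.class);
        // The default bearer-token entry point writes the 401 response.
        private final AuthenticationEntryPoint delegate = new BearerTokenAuthenticationEntryPoint();

        @Override
        public void commence(HttpServletRequest request, HttpServletResponse response,
                AuthenticationException ex) throws IOException, ServletException {
            // Log the reason and whether a header was sent, never the token itself.
            log.warn("401 for {} {}: {} (authorization header present: {})",
                    request.getMethod(), request.getRequestURI(), ex.getMessage(),
                    request.getHeader("Authorization") != null);
            delegate.commence(request, response, ex);
        }
    }
}
```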